Many of you might think I'm just trolling based on previous posts, but no sadly I'm not. I'm just bringing up some very serious issues that should be dealt with NOW rather than later.

An exchange uses a database to store everyones information, such as the amount of BTC you have. Say the exchange has 1000 BTC total from a spread of 100 users. Someone hacks the database (or the site/owner changes the database) and adds a user and sets his BTC amount to 1000 BTC -- even though those BTC don't actually exist.

This user can now proceed to sell, buy, cashout ect. -- All without being noticed as long as more and more users use the site. Now, if one day the user base becomes too low or everyone decides they need to cash out -- IT WILL NOT BE POSSIBLE.

A system in place needs to be acted upon on all the exchanges ASAP. I call upon them to do this for the safely of BTC and its users.

=====

When a user registers an account, they need to be assigned a permanent bitcoin address that the user can send BTCs to, and request to withdraw BTCs from.

This prevents a database to become compromised with BTC amount because the bitcoin address can be looked up at any time on blockexplorer to see the amount of BTC that address carries.

When users buy and sell BTC, information on every transaction needs to include the bitcoin address of the user those bitcoins were bought from -- again so anyone can verify they are legit.

The above basically creates a system anyone can verify is legit.

The next problem is verifying if they actually have all the cash. I can't really think up a good solution for this than to have trusted 3rd party check the financial information -- which is much needed.

I think you bring up very valid points worth investigating. What you are essentially describing is what is called "counter-party risk" - which means you are at risk of the other party not honoring their obligation to you. This is one more reason to hold and store your bitcoin in your own "bank" (wallet) where no one owes you and no one can default on you.

When Mt gox was on The bitcoin show they briefly described the ultimate solution to this very problem. Simply put "Decentralized Exchange" working on the same principle as bitcoin. this solution would eliminate the need to trust an organization. i hope mt gox will be able to achieve such a trading system.

Actually, the title of your post is incorrect. "Any virtual bitcoin storage can act like a bank" would be more accurate.

Example of an online storage that's not an exchange and still presents the same risk as you describe: mybitcoin.com.

Example of exchange that's only partially an online storage and thus partially presents the risks: bitmarket.eu. They don't store fiat currency (the buyer pays directly to the seller), and it's easy and free to cash bitcoins in and out.

The advantage of bitcoin is that anyone can (and should) store their bitcoins locally and thus be their own bank. Keeping the same old behaviour of having someone store big amounts of money will always induce the same problem, whatever the currency. If you don't own a computer or trust yourself to keep them secure, ask a friend to store them for you. I'm actually storing bitcoins for a friend of mine, who didn't want to rely on a service like mybitcoin.com.

Actually, the title of your post is incorrect. "Any virtual bitcoin storage can act like a bank" would be more accurate.

Example of an online storage that's not an exchange and still presents the same risk as you describe: mybitcoin.com.

Example of exchange that's only partially an online storage and thus partially presents the risks: bitmarket.eu. They don't store fiat currency (the buyer pays directly to the seller), and it's easy and free to cash bitcoins in and out.

The advantage of bitcoin is that anyone can (and should) store their bitcoins locally and thus be their own bank. Keeping the same old behaviour of having someone store big amounts of money will always induce the same problem, whatever the currency. If you don't own a computer or trust yourself to keep them secure, ask a friend to store them for you. I'm actually storing bitcoins for a friend of mine, who didn't want to rely on a service like mybitcoin.com.

Exactly. I encourage people to only store the amount they're likely to trade on the exchange. That goes for TradeHill, Mt Gox or anywhere else.In the future if we offer features that make use of the BTC stored on the exchange that might change but at this point I don't encourage it. If you're not sure how to secure your wallet and feel safer with someone else holding your coins that's another story.-Jered

When Mt gox was on The bitcoin show they briefly described the ultimate solution to this very problem. Simply put "Decentralized Exchange" working on the same principle as bitcoin. this solution would eliminate the need to trust an organization. i hope mt gox will be able to achieve such a trading system.

And how exactly would a "decentralized exchange" work? I don't see how this computes with the need for a bank account to accept fiat currency.

An exchange uses a database to store everyones information, such as the amount of BTC you have. Say the exchange has 1000 BTC total from a spread of 100 users. Someone hacks the database (or the site/owner changes the database) and adds a user and sets his BTC amount to 1000 BTC -- even though those BTC don't actually exist.

This user can now proceed to sell, buy, cashout ect. -- All without being noticed as long as more and more users use the site. Now, if one day the user base becomes too low or everyone decides they need to cash out -- IT WILL NOT BE POSSIBLE.

A system in place needs to be acted upon on all the exchanges ASAP. I call upon them to do this for the safely of BTC and its users.

This is trivially done. Check the total of BTC in the DB and compare it to the exchanges BTC wallet(s). Perhaps before each withdrawal.It's most likely the exchanges have many such checks already in their code.

Are you suggesting the exchange should operate directly by depositing BTC as trades occur? I guess you can't be - because that would be utterly impractical due to the slowness - and would mean that if things were hacked/glitched - there'd be no repair possible via rollback.(reverted trades do occur on standard exchanges - happened on NASDAQ earlier this year due to glitch apparently)

I'm not clear on how the addresses you talk about allow us to verify things are legit - to me it sounds unlikely to be useful. Please give an example of a previously empty exchange followed by a single trade between two users, and what is where in your scenario.

An exchange uses a database to store everyones information, such as the amount of BTC you have. Say the exchange has 1000 BTC total from a spread of 100 users. Someone hacks the database (or the site/owner changes the database) and adds a user and sets his BTC amount to 1000 BTC -- even though those BTC don't actually exist.

This user can now proceed to sell, buy, cashout ect. -- All without being noticed as long as more and more users use the site. Now, if one day the user base becomes too low or everyone decides they need to cash out -- IT WILL NOT BE POSSIBLE.

A system in place needs to be acted upon on all the exchanges ASAP. I call upon them to do this for the safely of BTC and its users.

This is trivially done. Check the total of BTC in the DB and compare it to the exchanges BTC wallet(s). Perhaps before each withdrawal.It's most likely the exchanges have many such checks already in their code.

Are you suggesting the exchange should operate directly by depositing BTC as trades occur? I guess you can't be - because that would be utterly impractical due to the slowness - and would mean that if things were hacked/glitched - there'd be no repair possible via rollback.(reverted trades do occur on standard exchanges - happened on NASDAQ earlier this year due to glitch apparently)

I'm not clear on how the addresses you talk about allow us to verify things are legit - to me it sounds unlikely to be useful. Please give an example of a previously empty exchange followed by a single trade between two users, and what is where in your scenario.

This is trivially done. Check the total of BTC in the DB and compare it to the exchanges BTC wallet(s). Perhaps before each withdrawal.It's most likely the exchanges have many such checks already in their code.

Exactly, it's simple to compare how many BTC are actually there to how many should be.If any of the other exchanges aren't doing that I'll be surprised and disappointed. -Jered

This is trivially done. Check the total of BTC in the DB and compare it to the exchanges BTC wallet(s). Perhaps before each withdrawal.It's most likely the exchanges have many such checks already in their code.

Exactly, it's simple to compare how many BTC are actually there to how many should be.If any of the other exchanges aren't doing that I'll be surprised and disappointed. -Jered

The point is allow customers to verify their account BTC balances independently of the exchange. This can be done by assigning each customer a single wallet address. The customer can check their balance using block explorer. If money in the wallet doesn't match the customers accounting, thena) their account has been hacked, or b) the exchange is using a fractional reserve

This is trivially done. Check the total of BTC in the DB and compare it to the exchanges BTC wallet(s). Perhaps before each withdrawal.It's most likely the exchanges have many such checks already in their code.

Exactly, it's simple to compare how many BTC are actually there to how many should be.If any of the other exchanges aren't doing that I'll be surprised and disappointed. -Jered

The point is allow customers to verify their account BTC balances independently of the exchange. This can be done by assigning each customer a single wallet address. The customer can check their balance using block explorer. If money in the wallet doesn't match the customers accounting, thena) their account has been hacked, or b) the exchange is using a fractional reserve

If everyone knows the exchange has a fractional reserve it's not a bad thing.If they're doing it without saying so that's another issue.

We've talked about doing something along those lines (the wallets).I don't write the code so I'm not sure how difficult it would be to have individual wallets. I would be interested in any solutions people can come up with though.

This is trivially done. Check the total of BTC in the DB and compare it to the exchanges BTC wallet(s). Perhaps before each withdrawal.It's most likely the exchanges have many such checks already in their code.

Exactly, it's simple to compare how many BTC are actually there to how many should be.If any of the other exchanges aren't doing that I'll be surprised and disappointed. -Jered

The point is allow customers to verify their account BTC balances independently of the exchange. This can be done by assigning each customer a single wallet address. The customer can check their balance using block explorer. If money in the wallet doesn't match the customers accounting, thena) their account has been hacked, or b) the exchange is using a fractional reserve

This is my point exactly, you also get the TRANSACTIONS when you buy bitcoins they will list everyones wallet that you bought from.

Saying just to look at their wallet is stupid. Obviously when you take BTC some will come out, but you don't really know what the database says they have.

If everyone knows the exchange has a fractional reserve it's not a bad thing.If they're doing it without saying so that's another issue.

We've talked about doing something along those lines (the wallets).I don't write the code so I'm not sure how difficult it would be to have individual wallets. I would be interested in any solutions people can come up with though.

-Jered

The system is useful because it provides transparency. The question of whether fractional reserves are desirable is not relevant.Transparency is useful with a fractional reserve too.

E.g. Suppose that the exchange promises to hold a minimum of 30% as a BTC reserve against all its bitcoin liabilities. Each customer is assigned a unique block explorer address that holds exactly 30% of their account balance.

If this account is not at exactly 30% of the account balance, then the customer will know that either:a) the exchange has been hacked, or b) the exchange is not holding a 30% BTC reserve.

Again, customers should be able to audit exchanges using block explorer. That is what the technology is there for.

If everyone knows the exchange has a fractional reserve it's not a bad thing.If they're doing it without saying so that's another issue.

We've talked about doing something along those lines (the wallets).I don't write the code so I'm not sure how difficult it would be to have individual wallets. I would be interested in any solutions people can come up with though.

-Jered

The system is useful because it provides transparency. The question of whether fractional reserves are desirable is not relevant.Transparency is useful with a fractional reserve too.

E.g. Suppose that the exchange promises to hold a minimum of 30% as a BTC reserve against all its bitcoin liabilities. Each customer is assigned a unique block explorer address that holds exactly 30% of their account balance.

If this account is not at exactly 30% of the account balance, then the customer will know that either:a) the exchange has been hacked, or b) the exchange is not holding a 30% BTC reserve.

Again, customers should be able to audit exchanges using block explorer. That is what the technology is there for.

Your turning an exchange into a bank, which isn't what we want, though with this you can also do what your saying as well.